The Snowden Files: British Spies Used Sex and 'Dirty Tricks'
Slideshow No. 1 

GCHQ, the British signals intelligence agency, prepared the 
following slides for a top-secret spy conference in 2012, describing 
cyber operations. The slides focus on the efforts of a unit, the Joint 
Intelligence Threat Research Group, or JTRIG. According to the 
documents, JTRIG conducts "honey traps," sends adversaries 
computer viruses, deletes their online presence, and employs 
several other tactics. Documents previously published by NBC 
News showed JTRIG engaged in cyber attacks on the hacktivist 
collective known as Anonymous. 

The slides were leaked by former NSA contractor Edward Snowden
and obtained exclusively by NBC News. NBC News is publishing 
the documents with minimal redactions to protect individuals. The 
presenter's notes for the slideshow are included. 
JTRIG - Core Functions




JTRIG has the following core functions: 

* Covert Internet Investigations 

* Forensic Investigation and Analysis 

* Active Covert Internet Operations, (including online Humint and Effects) 

* Covert Technical Operations 

* Provision of Unattributable Internet Access 

* Development of new capability 



Explanation of the “base-line” for JTRIG-related work and make-up: 

The structure of JTRIG: 

- Ops / Technical (Cap Dev) / JBOS. 

Mention the “Online Covert Action Accreditation” Programme. 

- Commenced September 2011. 

- Initially for JTRIG staff. 

- A small number of ISD analysts now being accepted on courses. 

Main skills covered: 

- Information & Influence Operations. 

- Online Humint. 

- Disruption & CNA. 

- Briefing to be provided by 
Development of new capability:

- Capabilities being developed to access data from various internet services 

- How these data sources may help to mitigate the loss that passive access could 
suffer to encryption etc 

- How to look further at integrating /fusing these data sources into our analytic stores 
and workflows 
"Using online techniques to make something
happen in the real or cyber world" 

Two broad categories: 

- Information Ops (influence or disruption) 

- Technical disruption 

Known in GCHQ as Online Covert Action 
The 4 D's: Deny / Disrupt / Degrade / Deceive 



Key statement is the initial one. 



Explain the categories more. 



The one thing to remember for JTRIG is the 4 “D’s”. 
Stop Someone




Bombard their phone with text messages 



Bombard their phone with calls 



Delete their online presence

Block up their fax machine

SMO examples from Afghanistan. 

- Significantly disrupting Taleban Operations. 

- Sending targets a text message every 10 seconds or so.

- Calling targets consistently on a regular basis. 

Ability to delete a target’s online presence. Very annoying!! 



Older type of Effects, but faxes are still used in some areas. 
Discredit a target




Set up a honey-trap 



Change their photos on social networking sites 



Write a blog purporting to be one of their victims 



Email/text their colleagues, neighbours, friends etc 



Honey-trap; a great option. Very successful when it works. 

- Get someone to go somewhere on the internet, or a physical location to be 
met by a “friendly face”. 

- JTRIG has the ability to “shape” the environment on occasions. 



Photo change; you have been warned, “JTRIG is about!!”
Can take “paranoia” to a whole new level. 



Blog writing: 

- Has worked on a number of different Ops. 

- One example is on a Serious Crime Op.

- Other examples on Iran work. 



Email/text: 

- Infiltration work. 

- Helps JTRIG acquire credibility with online groups etc. 
- Helps with bringing SIGINT/Effects together.






Info Ops style work: 

- Use of Open Source info and/or releasable Sigint items. 

- Attempts to inform the public, where necessary (government protected 
environment) 

- First stages of disruption and/or discrediting companies / organisations 




- Stop /divert the flow of funding. Introduce panic etc. 
ref another country to
believe a^secret 




• Place 'secret' information on a compromised 
computer 

• Send 'secret' information across a network visible 
to Sigint 



• Provide 'secret' information through an online
agent



Work alongside CNE: 

- Use of various masquerade type techniques.

- Placement of potential “damming” information, where appropriate. 

Visible networks: 

- Shape the environment, so that Sigint can provide BDA for Operations. 

- Use of releasable information, (support from SIA’s etc). 

Online agent: 

- Use of online aliases to good effect. 

- Visibly shaping the online environment. 
Stop someone's computer from working




• Send them a virus: 

• AMBASSADORS RECEPTION - encrypt itself, delete 
all emails, encrypt all files, make screen shake, no 
more log on 

• Conduct a Denial of Service attack on their computer 
Virus sending:

- Use of various JTRIG tools, including AMBASSADORS RECEPTION. 

- Has been used in a variety of different areas, very effective. 
• Use of active techniques to collect intelligence required
to map out:

- Who does what? 

- What institutions etc are being used? 

- What companies? 

- Who sets up the websites? 

- How do they communicate between ministries
and / or each other? 

- How do they communicate to investors? 

- How do they store information? 



Some basic questions, that are normally associated with scoping potential 
Active Ops. 



In essence Intelligence Analysts use SIGINT to answer the “pattern of life” 
question. 



But... do they know the “online - pattern of life” for their target set??



Do the analysts know not just what their target is doing, but what is it
thinking?? 
• How do we measure the impact of "effects"?



• "Blitz" style approach: 

- Creating as much disruption as possible within a 
short period of time 

• More subtle approach: 

- Effects use less likely to be detected, therefore 

- More sustainable over a longer period of time 



Two main ways to measure the impact of “Effects” Operations, 
Pros:



Provide an opportunity for JTRIG analysts to be 
more actively involved with ISD counterparts 

Enable further upskilling (e.g. C2C etc)

Provide JTRIG analysts with the opportunity to 
identify CNA-type options a lot earlier in Operations 



Provides ISD analysts a greater baseline and 
understanding of JTRIG work 



• An Opportunity for analysts to learn new ACNO 
skills, (e.g. On-line HUMINT etc) 
Cons:



Current lack of JTRIG IT infrastructure on the general 
floor-plate 

Lack of wider resource investment 

Lack of overall training and support resources 



Integration process will be resource intensive for CDO 




